FATF Targeted Report on Stablecoins and Unhosted Wallets: ML/TF/PF Risks and Recommendations

April 15, 2026

The FATFs Targeted Report on Stablecoins and Unhosted Wallets

Niall Esler, Lucy Frew, Chris Hutley-Hurst, Dilmun Leach, Gemma Palmer, Leonie Tear, Iona Wright Walkers + Follow Contact LinkedIn Facebook X Send Embed

Key Takeaways

• A new report from the Financial Action Task Force highlights illicit finance risks linked to criminals' misuse of stablecoins, particularly through peer-to-peer transactions via unhosted wallets, and sets out recommended actions to strengthen controls to protect the integrity of the financial system.

• The report highlights that the majority of ML/TF involving digital assets involves stablecoins, being the most popular digital asset for illicit transactions, particularly in the secondary market.

• This Report provides recommended actions that stablecoin issuers should take into account when building out compliance programs to mitigate ML/TF/PF risks connected with the stablecoin ecosystem and sets out typologies of stablecoin misuse.

What are FATF's findings on stablecoins and unhosted wallets?

On 3 March 2026, the Financial Action Task Force ('FATF') published a report titled 'Targeted Report on Stablecoins and Unhosted Wallets: Peer-to-Peer Transactions' (the 'Report') which highlights the money laundering, terrorist financing and proliferation financing ('ML/TF/PF') risks and vulnerabilities associated with stablecoins, particularly in connection with peer-to-peer ('P2P') transactions via unhosted wallets. This advisory summarises the findings in the report and provide insights from our Regulatory & Risk team in Bermuda, British Virgin Islands (BVI), Cayman Islands, Guernsey, Ireland and Jersey offices.

The Report states that stablecoins are the most popular virtual assets used in illicit transactions with the majority of this activity occurring in the secondary market. However, this may reflect that stablecoins now hold a significant market proportion in the digital asset economy and are likely being used in a similar manner to fiat, which remains untraceable, quick to trade and a popular way to wash dirty proceeds.

Stablecoins have the distinctive characteristics of purported price stability, high liquidity and interoperability with the traditional finance system which, coupled with ease of cross-border transfer, means they mirror fiat currency and are attractive for legitimate use but also for criminal misuse. Digital assets are generally more susceptible to misuse by cybercriminal groups due to the online nature of exchanges and speed of transactions. According to the Report, threat actors are increasingly using stablecoins in P2P transactions via unhosted wallets to effect ML/TF/PF schemes. Unhosted wallets are not subject to the same controls that apply to wallets offered by regulated financial institutions that are generally required to comply with the travel rule.

According to FATF, the blockchain-based architecture of stablecoins both helps and hinders AML/ATF oversight. Although every transaction is immutably recorded on public blockchains, these records, in FATF's view, lack critical context and are pseudonymous. As such the collection of CDD information including geographical location, in line with FATF Recommendations 10 and 15 is critical to ensure that law enforcement has the ability to obtain information from DABs.

What are the good practices that FATF has identified to mitigate the misuse of stablecoins?

The Report notes that, to date, a relatively small number of jurisdictions have implemented regulation for stablecoins that explicitly takes into account their characteristics that differ from other digital assets. The Report identifies a range of good practices that can be implemented by jurisdictions to help mitigate the misuse of stablecoins. These good practices include:

• imposing clear AML/ATF obligations, as detailed in Recommendation 15 of the FATF Standards, on participants in the stablecoin ecosystem including digital asset businesses ('DABs');
• the application of controls by stablecoin issuers to stablecoin transactions, such as using the programmability afforded to smart contacts to either allow certain wallet addresses to transaction in the stablecoin (allow-listing) or prevent certain wallet addresses from transacting in the stablecoin (deny-listing) and implementing technical measures to block, freeze or withdraw stablecoins if there are transactions to or from non-allowed-listed or deny-listed wallets;
• using advanced tools for detecting and monitoring suspicious transactions, such as blockchain analytics tools;
• implementing effective supervision of stablecoin issuers and other entities involved in stablecoin arrangements which may include cooperative frameworks that bring together home and host supervisors to share information and coordinate supervision of relevant entities thereby helping address cross-border oversight challenges;
• robust public-private sector collaboration to enhance understanding of evolving trends, strengthen co-operation on typologies and risk indicators and build the knowledge and skills of relevant experts thereby strengthening the integrity and security of the stablecoin ecosystem;
• following investigative leads in relation to the misuse of stablecoins; and
• implementing ML/TF/PF risk mitigation measures in relation to unhosted wallets and P2P transactions, such as DABs limiting the amount of funds that can be transferred by their customers to unhosted wallets, DABs applying enhanced customer due diligence ('CDD') measures for transactions with unhosted wallets, DABs using blockchain analytics tools to determine the risk-level of their customers' counterparties who own unhosted wallets, entities involved in stablecoin arrangements subjecting unhosted wallets to AML/CFT obligations (such as CDD at issuance and redemption) and prohibiting or denying licenses to platforms that allow transfers to unhosted wallets.

Commentary from our Bermuda office

Bermuda has several licensed stablecoin issuers already in Bermuda and more in the pipeline. The attraction is no doubt in part down to the flexible but robust approach of the Bermuda Monetary Authority ('BMA') that includes permitting licensed entities to issue yield bearing stablecoins, subject to appropriate risk management and reserve backing asset controls.

Stablecoin issuers are required to be licensed as digital asset businesses under the Digital Asset Business Act 2018 ('DABA'). DABA licensed entities are 'regulated financial institutions' for the purposes of the Proceeds of Crime Act 1997 and therefore required to comply in full with Bermuda's AML/ATF regime. The regime addresses and mitigates the risks identified by FATF in the Report, with BMA expectations and industry norms going beyond standard KYC, ongoing monitoring, reporting and record-keeping standards.

For example, stablecoin transfers made from a customer wallet to a customer wallet (i.e. where the institution itself is not a counterparty) are subject to the travel rule such that sender and recipient information must travel with the transfer, mitigating risk significantly.

Whilst FATF flags the lack of information on the geographical location of underlying wallets that may undermine regulators' ability to cooperate effectively with relevant foreign counterparts, for the majority of regulated financial regulations in Bermuda, geographic location tools are secondary and complimentary to proof of address verification requirements and OFAC wallet screening as standard compliance tools.

Allow-listing and deny-listing are also standard expected controls by the BMA, although as a flexible regulator, the BMA will assess all mitigating controls to determine if they are adequate.

The BMA will require reassurance in licence applications about not only the chainanalytics tool being used, but also the ability of the MLRO and compliance officer to understand such tools and the training that they have undertaken to assure such understanding; such is the sophistication of the Authority's AML team.

Commentary from our BVI office

The Virtual Asset Service Provider Act (VASP Act), administered by the Financial Services Commission (FSC) seeks to mitigate the risks identified by FATF, particularly in relation to peer-to-peer stablecoin transactions. Licensed entities are required to implement stringent AML/CFT measures, including robust customer due diligence (CDD), enhanced transaction monitoring, effective suspicious activity reporting, and strong internal controls, all in line with FATF Recommendation 15 and related guidance.

Currently, the issuance of stablecoins as a standalone activity is not regulated in the BVI under either the VASP Act or the Securities and Investment Business Act (SIBA). Unless the stablecoin issuance activity is bundled with an activity regulated under the VASP Act or SIBA, the act of issuance itself generally falls outside the purview of both the VASP Act and SIBA. We are aware that the FSC is considering regulating the issuance of stablecoins in the BVI but no draft legislation or legislative timeline has been published in this respect.

Commentary from our Cayman Islands office

While there is no separate regulatory framework for stablecoins in the Cayman Islands, stablecoins are typically deemed to be 'virtual assets' under the Virtual Asset (Service Providers) Act and therefore the public issuance of stablecoins and/or the provision of exchange, custody, transfer and/or certain other financial services in relation to stablecoins is regulated in the Cayman Islands and supervised by the Cayman Islands Monetary Authority.

The provision of any such services in relation to stablecoins is also within scope of the Cayman Islands Anti-Money Laundering Regulations ('AMLRs'), which includes mandatory customer due diligence, transaction monitoring, suspicious transaction reporting, sanctions/asset freezing requirements and the implementation of related policies and procedures and internal controls. The provision of transfer services in relation to stablecoins is specifically subject to the 'Travel Rule' requirements set out in Part 10A of the AMLRs, which requires service providers to identify, verify, and transmit specific information regarding the originators and beneficiaries of virtual asset transfers. Service providers receiving a transfer from an entity that is not a regulated VASP or other obliged entity (e.g., from an individual user using his/her own DLT software, such as an unhosted wallet) or sending to a non-obliged entity, must obtain the required originator/beneficiary information from their customer.

Commentary from our Guernsey office

The Guernsey Financial Services Commission ('GFSC') has published draft rules for a new licensed stablecoin regime, which could see Guernsey become a leading jurisdiction for stablecoin issuers. The GFSC is currently reviewing feedback from industry and we expect that the proposals will be refined and finalised shortly.

The draft rules require that licensed stablecoins are at least 100% backed by high quality liquid assets owned by the issuer in the currency that is 'pegged' to the coin. There are also requirements around the reserve assets backing the coin, the ring-fencing of those reserve assets, a prohibition on the reserve assets from being used as collateral or otherwise encumbered, a 3 month maximum redemption period for the underlying debt instruments (typically government bonds, treasuries and money-market instruments), capital requirements, reporting, disclosure, audit and attestation requirements and a requirement that the stablecoin is redeemable on no more than five calendar days’ notice.

The GFSC are considering yield-bearing stablecoins that pay interest or other rewards, and commodity-backed stablecoins.

Licensed stablecoin issuers will be required to comply in full with Guernsey's AML/CFT/CPF regime, including applying the travel rule. We expect that licensed stablecoin issuers will be required to address and mitigate much of the risks identified by FATF in the Report.

Commentary from our Ireland office

The activities of offering or seeking admission to trading of stablecoins in the EU and providing crypto-asset services in the EU are regulated under the Markets in Crypto-Assets Regulation (Regulation (EU) 2023/1114) (MiCAR). Stablecoins are categorised in MiCAR as (i) E-Money Tokens (EMTs), linked to a single fiat currency, which may be issued by authorised credit institutions or e-money institutions, and (ii) Asset Referenced Tokens (ARTs), which are asset or multi-currency backed, and may be issued by authorised credit institutions or entities specifically authorised under MiCAR.

Issuers of EMTs and Crypto-Asset Service Providers (CASPs) are obliged entities for AML/ATF purposes, requiring them to implement, for example, AML and customer due diligence policies, transaction monitoring, suspicious transaction reporting, and sanctions/asset freezing procedures.

As pointed out by the FATF in the report, ART issuers authorised under MiCAR (i.e. which are not credit institutions), are not obliged entities for AML/CFT purposes under the current EU AML framework. The AML Regulation (Regulation (EU) 2024/1624), which forms part of the incoming AML package, also does not extend the scope of obliged entities to capture ART issuers. Nonetheless, AML/ATF obligations will apply to CASPs providing services in relation to ARTs, and national competent authorities (NCAs) are expected to assess ML/FT risks when assessing applications for ART issuances (e.g. due diligence on management body and qualifying holders, assessing arrangements with CASPs, and examining the business model in light of the applicant's overall risk assessment which should cover inherent and residual risks of ML/FT). Additionally, as part of the application phase, applicants are required to provide a comprehensive description of the risk management systems and controls, explaining the applicant issuer’s strategy for identifying, assessing, monitoring, mitigating and reporting all risks the applicant issuer is or might be exposed to, including ML/FT risks. Currently, there are no ART issuers authorised in the EU.

Separately, the Transfer of Funds Regulation (Regulation (EU) 2023/1113) requires CASPs to collect, verify and submit certain information about the originator (i.e. a person that holds a crypto-asset account or address) and the beneficiary (i.e. a person that is the intended recipient of the transfer of crypto-assets) of crypto-asset transfers (the so-called 'travel rule'). In case of a transfer to or from a self-hosted address (i.e. non-custodial wallets), CASPs are required to collect the information on both the originator and the beneficiary, usually from their customer. CASPs are, in principle, not required to verify the information on the user of the self-hosted address, however, where a transfer exceeds EUR 1 000, CASPs should verify whether the self-hosted address is effectively owned or controlled by that customer.

Regarding stablecoin oversight, NCAs supervise ART and EMT issuers. Where ARTs/EMTs are classified as "significant" under MiCAR, the supervisory college framework applies and supervisory responsibilities for issuers are transferred from NCAs to the European Banking Authority.

Commentary from our Jersey office

The Jersey Financial Services Commission ('JFSC') has published and maintains the Real World Assets Tokenisation Guidance Note ('TGN'), which, amongst other matters, covers the requirements of issuers of stablecoins from a Jersey perspective.

Per the TGN, stablecoins are not considered virtual assets and instead are defined as tokens that are fully collateralised by cash or cash equivalents. An issuer of stablecoins is currently required to procure a consent from the JFSC under the Control of Borrowing (Jersey) Order 1958 ('COBO') to issue stablecoins. This is a one-off consent and whilst there are likely to be bespoke conditions attaching to the consent that need to be complied with, this does not amount to prudential regulation or supervision by the JFSC.

Per the TGN, issuers of stablecoins are required to appoint a locally regulated trust company service provider ('TCSP') to administer the issuer. An issuer of stablecoins is also required to:

a) apply all relevant AML/CFT/CPF requirements on issuance and redemption of stablecoins and perform enhanced measures where higher AML/CFT/CPF risks are identified, to effectively manage and mitigate those higher risks;
b) develop and implement policies, procedures and controls including those in relation to conduct, customer due diligence and transaction monitoring, screening, suspicious activity reporting and record keeping; and
c) monitor the implementation of those policies, procedures and controls, and enhance them if necessary.

In practice, these AML requirements are often discharged by the regulated TCSP appointed to the issuer.

The application to the JFSC for a COBO consent to issue stablecoins must also include information on who the issuer will directly sell the stablecoin tokens to, for example authorised participants, and who can redeem their tokens for fiat. Any appointed authorised participants to the structure should be of a reputable standing and based in jurisdictions that do not feature on the list of countries and territories identified as presenting higher risks, which forms part of the JFSC's AML/CFT/CPF Handbook.

Jersey's legislative framework for digital assets, including issuers of stablecoins, is evolving at pace with the aim of providing proportionate regulation in this innovative sector whilst upholding international standards.

Next steps for participants in the stablecoin ecosystem

Those that participate in the stablecoin ecosystem should be aware of ML/TF/PF risks and vulnerabilities associated with stablecoins, particularly in connection with P2P transactions via unhosted wallets. Such participants may wish to consider and, where relevant, implement the good practices detailed in the Report to mitigate the misuse of stablecoins for financial crime.

[View source.]

Send Print Report

Related Posts

• The CFATF recognises the significant progress that the BVI has made to improve its compliance with the FATF's 40 Recommendations
• FATF Fifth Round Mutual Evaluation – Are you ready?
• Update on the British Virgin Islands and the FATF's list of jurisdictions under increased monitoring

Latest Posts

• The FATFs Targeted Report on Stablecoins and Unhosted Wallets
• Statutory framework for Cayman Islands tokenised funds now final See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Walkers

Written by:

Walkers Contact + Follow Niall Esler + Follow Lucy Frew + Follow Chris Hutley-Hurst + Follow Dilmun Leach + Follow Gemma Palmer + Follow Leonie Tear + Follow Iona Wright + Follow more less

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

AML/CFT + Follow Best Practices + Follow Blockchain + Follow Cryptocurrency + Follow Digital Assets + Follow Digital Wallets + Follow Financial Action Task Force + Follow Peer-to-Peer + Follow Regulatory Oversight + Follow Stablecoins + Follow Finance & Banking + Follow International Trade + Follow Science, Computers & Technology + Follow more less

Walkers on:

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: Sign Up Log in ** By using the service, you signify your acceptance of JD Supra's Privacy Policy.* - hide - hide